Bug 1395040 - vagrant nfs exports race
Summary: vagrant nfs exports race
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: vagrant
Version: 24
Hardware: All
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Vít Ondruch
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-15 02:00 UTC by Aron Griffis
Modified: 2016-11-30 05:27 UTC (History)
1 user (show)

Fixed In Version: vagrant-1.8.1-3.fc23 vagrant-1.8.1-5.fc24 vagrant-1.8.5-2.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-29 23:52:42 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github https://github.com/mitchellh vagrant issues 7938 None None None 2016-11-15 02:00:32 UTC
Red Hat Bugzilla 1392727 None None None Never

Internal Links: 1392727

Description Aron Griffis 2016-11-15 02:00:32 UTC
Description of problem:
vagrant has a tempfile race that can allow an unprivileged local user to insert arbitrary nfs exports.

Version-Release number of selected component (if applicable):
anything older than 1.8.7

Steps to Reproduce:
See https://github.com/mitchellh/vagrant/issues/7938

Here's the exploit steps I provided to hashicorp's security email:

1. Attacker creates file ahead of time, writable so cp will succeed.

touch /tmp/exports
chmod a+rw /tmp/exports

2. Attacker uses inotifywait to watch for file modifications (indicating the cp) and immediately substitute or append an export that allows them to access files they shouldn't.

3. Vagrant user with sudo privs does "vagrant up". This does the cp/sed sequence on /tmp/exports. (If sudo asks for a password then the race is exceptionally in the attacker's favor)

Additional info:
It's fixed in 1.8.7.

Comment 1 Andrej Nemec 2016-11-18 13:39:33 UTC
This is already public and has an upstream patch available, we can update the packages in Fedora to the latest upstream version to prevent it. There is no CVE assignment and the issue is lower because it needs local access.

Comment 2 Fedora Update System 2016-11-18 13:50:06 UTC
vagrant-1.8.5-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5a625412c2

Comment 3 Fedora Update System 2016-11-18 13:50:46 UTC
vagrant-1.8.1-5.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-24ffcb9a47

Comment 4 Fedora Update System 2016-11-18 13:51:31 UTC
vagrant-1.8.1-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7b335750d8

Comment 5 Fedora Update System 2016-11-18 20:27:22 UTC
vagrant-1.8.5-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5a625412c2

Comment 6 Fedora Update System 2016-11-19 08:56:29 UTC
vagrant-1.8.1-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7b335750d8

Comment 7 Fedora Update System 2016-11-19 18:50:30 UTC
vagrant-1.8.1-5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-24ffcb9a47

Comment 8 Fedora Update System 2016-11-29 23:52:42 UTC
vagrant-1.8.1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-11-30 03:52:05 UTC
vagrant-1.8.1-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-11-30 05:27:32 UTC
vagrant-1.8.5-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.